Use of Shibboleth by ARCS
|
|
- Lucy Owen
- 6 years ago
- Views:
Transcription
1 Use of Shibboleth by ARCS Neil Witheridge Manager, ARCS Authorisa7on Services Internet2 Members Mee7ng, Fall, October 2009
2 Overview Australian HE Research & ARCS Background ARCS reliance on AAF: Current AAF Status ARCS & Other Research Services Grid, Data, Collabora7on; Research Domain Specific AAF interoperability with the Grid Grid Security Infrastructure, Short Lived Creden7al Service Authen7ca7on and Authorisa7on Scenarios ARCS Authorisa7on Services Strategy Future Plan: PaRerns and Solu7ons HE: Higher Educa7on ARCS: Australian Research Collabora7on Service AAF: Australian Access Federa7on
3 Australian HE Research Infrastructure Investment 1998: Australian Partnership for Advanced Compu7ng APAC responsibility included Australian Grid Services 2001: Systemic Infrastructure Ini7a7ve Focus on Data, Repositories, Access (included MAMS project) 2005: Na7onal Collabora7ve Research Infrastructure Strategy (NCRIS) Delivery of Na7onal, Discipline based capabili7es PlaZorms for Collabora7on (PfC) (includes ARCS, taking over APAC role) 2009: Educa7on Investment Fund Super Science
4 PlaZorms for Collabora7on (PfC) PfC is an NCRIS Capability Whole fabric research collabora7on infrastructure Grid (HPC, Data), Data, Federa7on, Collabora7ve tools, Network ARCS: Australian Research Collabora7on Service Established 2007 ANDS: Australian Na7onal Data Service NCI : Na7onal Computa7onal Infrastructure AAF: Australian Access Federa7on NREN: Na7onal Research & Educa7on Network (AARNet)
5 ARCS Overview ARCS Services Teams Systems Services (Grid Services, Systems deployment) Data Services (ARCS Data Fabric) Collabora7on Services (collabora7ve tools e.g. VideoConf, CMS, SW Dev) Authorisa7on Services (Research group authn & authz requirements analysis, authorisa7on advice & infrastructure, exemplars, solu7ons) ARCS Mission long term eresearch support, services and tools Members of ARCS state based research infrastructure VPAC, Intersect, QCIF, ivec, SAPAC, TPAC, ANU, CSIRO Customers: Research groups and service providers Na7onal, discipline based research groups, including PfC partners (AAF, ANDS, NCI)
6 ARCS Authorisa7on Services Role Support Research Groups and Service Providers in delivering services relying on authen7ca7on and authorisa7on (authnz) Analyse requirements, and provide exper7se, advice, exemplars Exemplars (demonstrate what can be done to protect resources) Implement (procure/develop) and deploy authnz solu7ons sa7sfying research groups and service provider s security requirements Provide customer support for ARCS Authorisa7on Services ARCS CA s, ARCS IdP, ARCS SLCS Server & Clients, ARCS Access Service Develop and pursue a unified strategy for authnz Apply secure technologies and protocols Apply Federated Access (i.e. Shibboleth) to achieve integra7on with the AAF Apply Grid Security Infrastructure Analyse access scenarios and iden7fy parerns & solu7ons
7 Australian Access Federa7on Origins of Aust n HE use of Shibboleth MAMS project delivered an opera7onal Federa7on MAMS Level 2 Testbed Federa7on zero policy federa7on (no policy based Trust) Now, CAUDIT s Pilot AAF Project CAUDIT: Council of Australian University Directors of IT Adop7ng SWITCH Federa7on infrastructure Resource Registry, Discovery Service, uapprove etc. Policy framework established Rules for Par7cipants AusCERT will provide a PKI for Australian HE
8 AAF Schedule Pilot AAF Status Technical Infrastructure & Policy Framework in place Currently Migra7ng IdPs and SPs from MAMS Level 2 Testbed to Pilot AAF Requirement for IdPs and SPs to agree to Rules for Par7cipants Best Endeavours i.e. self asserted compliance (as described in ) AAFInc incorporated as an Associa7on Domain names, Trademarks etc. being procured Tendering process for AAF Operators will commence 4Q09 Produc7on AAF due to be deployed 1H10 Updated Policies, stricter compliance, audi7ng
9 ARribute Usage in the AAF aueduperson schema AAF Mandatory ARributes (as described in Rules for Par7cipants) End user arributes edupersontargetedid, auedupersonsharedtoken o, cn, mail, displayname edupersonaffilia7on, edupersonscopedaffilia7on edupersonen7tlement edupersonassurance Other arributes Authen7ca7onMethod
10 ARCS use of auedupersonsharedtoken User Iden7fier required by ARCS Services (esp. Grid) Non targeted, federa7on unique, persistent iden7fier IdP releases same aepst value to all ARCS services for an end user ARCS Auth Svcs delivers technical components and processes for genera7on and portability of aepst Genera7on Uniqueness relies on sta7s7cal proper7es of hash func7on & unique inputs used to create aepst generated at IdP & stored in directory/database Portability When end user moves to different IdP, takes aepst value Use of signed statement of ownership for por7ng to new IdP Other mechanisms, including IdP IdP protocol, under inves7ga7on
11 ARCS IdP ARCS has established an IdP for users of ARCS services without a Federa7on IdP Registra7on web interface and process ARCS Registra7on Authority Iden7ty proofing involves internal vouching for iden7ty User confirma7on required by Shibboleth IdP Supports AAF mandatory arributes Genera7on & Portability of SharedToken
12 ARCS IdP Workflow 1.1 Web Browser end-user Registration Request 1.2 Confirmation by 2.1 Change password Registration Interface uid + password + attributes Registration Authority (RA) Password Management 1.3 On approval ARCS IdP 2.2 new password ARCS IdP Directory 3.3 * attribute release policy Shibboleth IdP 3.3 authn Discovery Service 3.2 * Web Browser end-user select IdP attribute query/ response 3.1 access Join ARCS IdP Password Management Federated Access to Service * Service Provider attribute acceptance/mapping policy 3.5 Web App access uid + password * Member of AAF
13 ARCS & Related Services (to date) ARCS Services Grid Services (Grid Security Infrastructure, Virtual Organisa7ons) Data Fabric (WebDAV client/server, irods service, Groups ) Collabora7on Services Comms & CMS/framework Tools (Web app s, Community/Groups) CMSs requiring integra7on with the Data Fabric Research Services Web enabled Grid Portals (Web portals requiring delegated authen7ca7on to Grid Services) OPeNDAP Services (Shib enabled server, access via Matlab, incl. scripted) Goal is for all to be accessible via the AAF
14 Grid Services Use of PKI Interna7onal Grid Trust Federa7on (IGTF) APGridPMA, EuGridPMA, TAGPMA (CA accredita7on agencies) Grid Security Infrastructure (implemented by Globus toolkit) IGTF X.509 Cer7ficate profiles: Classic X.509 (i.e. long lived, defined Registra7on process) Short Lived Creden7al Service (SLCS) Member Integrated Creden7al Service (MICS) APAC CA issues classic X.509 Cert s (following Registra7on) CA CP/CPS (Cer7ficate Policy / Cer7fica7on Prac7ces Statement) Specify iden7ty management requirements, format for dis7nguished names (DNs), private key management policy SLCS & MICS Cer7ficates (generate certs from Shib creden7als)
15 Research Services Access PaRerns PaRerns encountered so far: Federated access to Grid Services Federated access to Web applica7ons Federated access integra7on with non web applica7ons Access via standalone (e.g. Java) Applica7ons Access via Opera7ng System Components Federated Access involving Delegated Authen7ca7on Integra7ng Federated Authen7ca7on & batch mode (i.e. scripted) access
16 Marriage of Shibboleth and GSI Use of AAF Access, SLCS and Proxy Cer7ficates Grid interoperability using SLCS SLCS and Proxy cer7ficates deliver key authen7ca7on capabili7es SSO for non web services (SLCS and Proxy cert s) Delegated authen7ca7on using Proxy Cer7ficates Issues remain SLCS cer7ficate is cached authen7ca7on event SLCS cer7ficates without passwd protec7on
17 Grid Security Infrastructure Issuance of trusted X.509 Cer7ficate Signed by trusted root CA e.g. APAC CA, IGTF accredited IGTF policy requires password protec7on of private key for long lived cer7ficates Use of Proxy Cer7ficates Grid has pioneered use of proxy cer7ficates Cer7ficate signed by private key of end en7ty cer7ficate to be proxied Provides for Single Sign On Short lived cer7ficate, hence no need to password protect private key Delegated Authen7ca7on Proxy cer7ficate issued to service for delegated authen7ca7on
18 Classic Grid Cer7ficates PrivGS PubGS X.509 CA Certificate PubGS DNGS: host Grid Service (GSI-enabled) 2.1 Access Grid Service Trusted CA certs Trusted CA Bundle Mutual Authentication IGTF International Grid Trust Federation Trust PrivCA PubCA X.509 CA Certificate PubCA DNCA: Root CA Grid CA 1.3 Certificate Signing Request Grid Client (GSI-enabled) Note: password protection of private key end-user PrivEE PubEE 1.1 Request Grid Certificate Registration Process 1.2 Approval Certificate Issuance X.509 CA Certificate PubEE DNEE: end-entity 1.4 Grid Certificate classic X.509 Lifetime ~ 1 year Registration Authority Operator (RAO) Grid-User Registration Authority
19 Proxy Cer7ficates Storing a creden7al Provides for SSO and Delega7on PrivMP PubMP end-user Grid Client (GSI-enabled) 1.1 Request Put Proxy (with Grid Cert and authn credentials for retrieval) X.509 CA Certificate PubMP DNMP: host MyProxy Server PrivEE X.509 CA Certificate PubEE DNEE: end-entity PubEE 1.4 X.509 EE Certificate PubEE DNEE P : P end-entity Sign Proxy Certificate PubEE P 1.5 Upload Certificate Chain 1.3 Certificate Signing Request 1.2 Create Keypair PrivEE P PubEE P X.509 CA X.509 EE Certificate Certificate PubEE PubEE DNEE: DNEE P : P end-entity end-entity Trusted Grid CA
20 Proxy Cer7ficates retrieving a proxy for SSO 2.1 Access Grid Service Grid Client (GSI-enabled) Mutual Authentication, Client authn with Proxy PrivMP PubMP X.509 CA Certificate PubMP DNMP: host end-user PrivEE PubEE 1.1 Request Get Proxy (with MyProxy authentication credentials) MyProxy Server Note: No password protection of private key X.509 CA Certificate PubEE DNEE: end-entity PrivEE PP PubEE PP X.509 EE P Certificate PubEE DNEE PP : PP end-entity-pp X.509 EE Certificate PubEE DNEE P : P end-entity 1.2 Create Keypair PubEE PP Retrieve Proxy Certificate Chain Certificate Signing Request PrivEE P PubEE P X.509 CA X.509 EE Certificate Certificate PubEE PubEE DNEE: DNEE P : P end-entity end-entity X.509 EE P Certificate PubEE 1.4 Sign Proxy DNEE PP : PP end-entity-pp
21 Proxy Cer7ficates retrieving a proxy for Delega7on 2.1 Access Grid Service on behalf of end-user Mutual Authentication, Delegatee Service authn with Proxy Delegation Service (GSI-enabled) 1.1 Request Get Proxy (with MyProxy authentication credentials) Authorises Service to download proxy (provides credentials to authenticate to MyProxy to download proxy) PrivEE PP X.509 CA Certificate PubEE DNEE: end-entity PubEE PP 1.2 Create Keypair X.509 EE Certificate PubEE DNEE P : P end-entity 1.3 Certificate Signing Request PubEE PP X.509 EE P Certificate PubEE DNEE PP : PP end-entity-pp 1.5 Download Proxy Certificate Chain
22 Grid Authen7ca7on and Authorisa7on Cer7ficate DN is mapped to local account on cluster Use of AuthTool and GUMS (Grid User Management System) Several different architectures for authen7ca7on, but each convert to local account name under *nix. Authorisa7on and Virtual Organisa7ons Virtual Organisa7on Management System (VOMS) VOMRS extended u7lity by allowing delegated admin and mul7ple VO membership Extension of use of Proxy Cer7ficates (VOMS Cer7ficates) VO membership and role stored in non cri7cal extension of cer7ficate VO membership and role mapped to local user/group account
23 voms-proxy-info -all VOMS Proxy Example ARCS uses VOMRS for Virtual Organisa7on Administra7on subject : /C=AU/O=APACGrid/OU=VPAC/CN=Graham Jenkins/CN=proxy/CN=proxy/CN=proxy/CN=proxy issuer : /C=AU/O=APACGrid/OU=VPAC/CN=Graham Jenkins/CN=proxy/CN=proxy/CN=proxy identity : /C=AU/O=APACGrid/OU=VPAC/CN=Graham Jenkins/CN=proxy/CN=proxy/CN=proxy type : proxy strength : 1024 bits path : /tmp/x509up_u1000 timeleft : 11:59:53 === VO ARCS extension information === VO : ARCS subject : /C=AU/O=APACGrid/OU=VPAC/CN=Graham Jenkins issuer : /C=AU/O=APACGrid/OU=ARCS/CN=vomrs.arcs.org.au attribute : /ARCS/StartUp/Role=NULL/Capability=NULL attribute : /ARCS/Role=NULL/Capability=NULL attribute : /ARCS/NGAdmin/Role=NULL/Capability=NULL attribute : /ARCS/VPAC/Role=NULL/Capability=NULL attribute : /ARCS/NRI/Role=NULL/Capability=NULL attribute : /ARCS/Cloud/Role=NULL/Capability=NULL timeleft : 23:55:09 uri : vomrs.arcs.org.au:15001
24 ARCS Short Lived Creden7al Service ARCS Grid/AAF Integra7on: SLCS Service (Shib SP) IGTF Authen7ca7on Profile SLCS X.509 Profile Genera7on of Grid trusted X.509 cer7ficates based on end user arributes obtained via AAF authen7ca7on Access control based on IdP agreement to Usage Policy SLCS Client implementa7on ARCS Auth Svcs has implemented SLCS client java libraries Grid desktop clients, Grix and Grisu, include SLCS client in order for users to authen7cate via AAF Users need know nothing about key pairs, cer7ficates
25 SLCS Cer7ficate Format Plan for Level 1 and Level 2 CA s (Level 2 accredited by IGTF) SLCS Level 1 cer7ficate trusted within Australian Grid Services Level 1 cer7ficate issued if edupersonassurance value is not provided or equal to value for Iden7ty LoA = 1 Subject dis7nguished name (DN) DC components corresponding to SCLS CA (only Level 1 currently) i.e. DC=au,DC=org,DC=arcs,DC=slcs O component consis7ng of o arribute value e.g. O=ARCS IdP CN component consis7ng of cn arribute value and auedupersonsharedtoken arribute value e.g. CN=John Citizen ZsiAvfxa0BXULgcz7QXknbGtfxk Example DN value DC=au,DC=org,DC=arcs,DC=slcs, O=ARCS IdP, CN=John Citizen ZsiAvfxa0BXULgcz7QXknbGtfxk altsubjectname mail arribute value (valid address for user)
26 SLCS Client Implementa7on SLCS Client needs to generate key pair in secure file system loca7on Current java library implementa7on, and command line implementa7on using java library Client relies on Built in hrp client to interact with DS, IdP Screen scraping of IdP authen7ca7on interface Users entering IdP creden7als into non browser interface ARCS Grid clients: Grix and Grisu
27 SLCS Grid Cer7ficates Workflow Discover Service Identity Provider end-user 1.1 Enter IdP username & password Java application e.g. SLCS Command-line client PrivEE PubEE X.509 SLCS Certificate CA PubEE DNEE: end-entity SLCS Client Java library http client Shib SP Attributes used: auedupersonsharedtoken CN mail edupersonassurance SLCS Server VOMRS Startup VO SLCS Level-1 CA SLCS Level-2 CA ARCS Security Infrastructure
28 ARCS Data Fabric Effec7ve Data Management and Storage Cri7cal capability for Researchers, PfC focus Data Storage Solu7on: ARCS Data Fabric Distributed storage aggregated using irods (Integrated Rule Oriented Data System) Interfaces to irods CLI (icommands), GUI (irods Explorer), Web (irods Web Browser) Username/password or GSI authn DAVIS WebDAV and HTTP access
29 Data Fabric Workflow (access via DAVIS) Enter: IdP, username & password (a) 1.2 DS 1.3 IdP 1.5 ARCS Security Infrastructure end-user ARCS IdP/neil.witheridge *************** WebDAV client E.g. Windows Explorer (a) Considering using an ARCS Username and Password generated by ARCS Access Service for use in accessing ARCS Data Fabric 1.1 DAVIS PrivEE WebDAV Server SLCS Client PubEE X.509 SLCS Certificate CA PubEE DNEE: end-entity PubEE CSR SSL Mutual Authentication 1.8 SP 1.6 irods SLCS Server X.509 SLCS Certificate CA PubEE DNEE: end-entity SLCS CA Data Sources Data Fabric Infrastructure
30 ARCS Collabora7on Tools Content Management Systems & Frameworks Plone, Twiki, Confluence, Sakai, Drupal Integra7on with AAF and Data Fabric (links to DF resources) Communica7ons Tools EVO, Access Grid, Jabber What are the authen7ca7on and authorisa7on requirements Cost/benefit of integra7on with AAF authen7ca7on How much work, internal refactoring, to integrate Collabora7ve Sotware Development Tools Trac, SVN, Git, Hudson Web interfaces protected by Shibboleth. CLI s?
31 Plone Integra7on with AAF + Data Fabric AAF Integra7on Plone (Shibboleth enabled authen7ca7on) ARribute requirements for Plone SharedToken, mail, cn, displayname (genera7on of WikiName) Data Fabric Integra7on (requires GSI and Shibboleth) Requirement: Search for DF resource to link to Access irods via GSI to view and select DF resource Obtain user s SLCS cer7ficate, authen7cate with irods irods delivers list of resources accessibly by user Requirement: Access DF resource via link Link to protected resource, maybe user can t access Access via Davis, using Shibboleth SSO If authorised to access, Davis provides download dialog
32 Web Portal Access To Grid Resources Development by auscope of an AAF enabled Web Portal which requires delegated authen7ca7on to access Grid Service How can a portal obtain the user s SLCS cer7ficate proxy without user crea7on of SLCS? It can t. How about the portal genera7ng the user s SLCS cer7ficate? IGTF SLCS Profile specifica7on (Private Key Management) The SLCS authority shall issue X.509 short lived cer7ficates to end en77es based on cryptographic data generated by the applicant, or based on cryptographic data that can be held only by the applicant (e.g. on a secure hardware token; generated from a transient yet unique session handle retrieved from the applicant s encrypted session). (RFC3647: 6.1)
33 Approaches Considered & Prototyped SLCS Delega7on Service Portal generates the user creden7als i.e. keypair & requests and is issued a cer7ficate under the users DN Portal generates and manages the user s creden7als SLCS Proxy Service ARCS SLCS Proxy Service generates the user creden7als & requests a SLCS cer7ficate under the user s DN, & uploads the SLCS cer7ficate to MyProxy allowing the portal to retrieve a proxy cert signed by the user s SLCS cert. ARCS Service generates and manages the user s creden7als Portal obtains a proxy cer7ficate
34 SLCS Delega7on ARCS Security Infrastructure Shib IdP 4 attributes Shib SP SLCS Delegation Service 7 CSR SLCS CA 3 authenticate 2 Redirect to SLCS Delegation Service 6 SLCS Certificate Signing Request end-user EU Client webbrowser 1 10 http POST EU Access Response 5 8 SLCS certificate Authorisation token EU key-pair & SLCS cert Web Portal Service Grid & Delegation Service Client GSI 9 Access GSI Service with Delegated Authentication GSI Grid Service
35 SLCS Proxy ARCS Security Infrastructure Shib IdP 4 attributes Upload SLCS cert & enable Proxy Retrieval Shib SP SLCS Proxy Service EU key-pair & SLCS cert 6 5 CSR MyProxy SLCS CA 8 Proxy Certificate Request 3 authenticate end-user webbrowser 2 Redirect To SLCS Proxy Service MyProxy 7 Authentication cred s http POST 1 EU Access 11 Response Proxy key-pair & cert chain Web Portal Service GSI 9 Proxy certificate 10 Access GSI Service with Proxy cert. GSI Grid Service
36 Web Portal Delegated Access Becoming a common requirement Proposed change to IGTF Guidelines Genera7on and Storage of Private Keys on an appropriate computer system that is administered by a third party To be discussed at OGF27 next week. S7ll stringent requirements on 3rd Party handling of user s private keys If passed, SLCS Delega7on OK if Portal conforms to guidelines, and SLCS Proxy OK as ARCS will conform.
37 Access to OPeNDAP resources OPeNDAP server (Shibboleth enabled) Access to GeoSpa7al Data (Integrated Marine Observing System IMOS) Access typically via non web client tools such as Matlab Matlab uses OPeNDAP client library (Java, Python) Integra7ng AAF Authen7ca7on & Matlab access Considered Shibboleth Proxy Requires storing user s IdP cred s in a config file. Batch mode access to OPeNDAP resources Scripted invoca7on of Matlab with no end user interac7on Solu7on: use of SSL AuthN (user s SLCS Cer7ficate)
38 Matlab batch Mode Access To OPeNDAP resources (Use of SLCS Certificate for SSL Authentication) Gezng SLCS Cer7ficate 1.2 DS IdP 1.3 IdP username & password ARCS Security Infrastructure SP 1.5 SLCS Server 1.5 SLCS CA end-user PrivEE SLCS Client X.509 SLCS Certificate CA PubEE DNEE: end-entity PubEE 1.6 Matlab Client https client Using SLCS Cer7ficate SSL Mutual Authentication 2.1 Apache 2.2 auedupersonsharedtoken Service
39 Recap: Authen7ca7on Scenarios Examined Browser to web applica7ons (not many yet, Grid focus) SLCS Access to Grid Services (Cer7ficate life 7me issues, s7ll need to support access via classic cer7ficates) SLCS Client workflow (entering IdP creden7als into non browser UI s) Data Fabric access (passing IdP cred s to DAVIS via WebDAV) Web portals access to Grid Services (Delega7on issue) CMS (e.g. Plone)/AAF/Data Fabric Integra7on Non Web Client access to OPeNDAP services (Matlab ) Batch mode access to OPeNDAP services These address Authen7ca7on, not Authen7ca7on
40 ARCS Authorisa7on Scenarios How is authorisa7on currently performed for ARCS Services? Virtual Organisa7on Management for Grid VOMRS Data Fabric: Groups in irods Collabora7on Services: Groups in CMS s Recogni7on of need for Services to control access and authorisa7on rights Informa7on from IdPs not useful in general for authz
41 ARCS Access Service ARCS Access Service for ARCS Services Registra7on (assignment of Default Authorisa7on Rights) Tracking user communi7es (auedupersonsharedtoken) Allocate ARCS Username (ARCS Services unique name) consistent user naming across ARCS Services Caching arributes at 7me of registra7on Detec7ng arribute change (e.g. IdP, affilia7on) Authorisa7on Rights Management For non default Authorisa7on Rights Authorisa7on Rights tokens urn:<serviceidentifier>:<token value>
42 Shib-enabled Services SP Shib AuthN 2a end-user ARCS Access Service Query (SP, aepst, atts) 1 Shib AuthN Response (authz rights, ARCS username, Δatts) SP ARCS Access Service Shib attributes Registration Specify Services 2b Default Authorisation Rights non- Shib-enabled Services ARCS username & pwd AuthN ARCS Username ARCS LDAP AuthZ rights Shibboleth attributes ARCS username & pwd Authorisation Rights Management Attribute Change Detection IdP ARCS Registrar 1a Registration approval for chosen SPs Registration Process
43 ARCS Authorisa7on Services Strategy Avoid devia7ng from proven protocols Security analysis difficult, costly (so minimise) Analyse research services access and chains of authnz informa7on flow Iden7fy parerns and formulate solu7ons Adopt proven (security analysed) mechanisms Shibboleth GSI (X.509 cer7ficates, Proxy Cer7ficates) Classic, SLCS & MICS cer7ficates (IGTF profiles) Differen7ate Authen7ca7on and Authorisa7on parerns
44 ARCS Authorisa7on Services Strategy (cont d) Iden7fy secure enough (e.g. take lead from Grid) Hide PKI from end users Take heed of HE iden7ty management policies Don t require entry of creden7als into untrusted interfaces of storage in file system Prohibit shared iden77es (e.g. shared test account) Keep usage logs, allow self audi7ng Provide produc7on quality components to implement usable & reliable solu7ons. Track interna7onal trends and adopt & adapt
45 Abstrac7on and Classifica7on ARCS Authorisa7on Services is seeking to abstract Authen7ca7on and Authorisa7on workflows in HE research domain Iden7fy & document parerns & implement solu7ons Deliver (or recommend 3 rd party) produc7on quality libraries & tools for research service developers Acquire or construct required Middleware Shibboleth, GSI (or plain old SSL) enablement Apply incremental and itera7ve analysis and development to parerns & solu7ons Keep track of and in sync with global trends
46 Audi7ng and Auditability Importance of detec7ng intrusion & compromise Emphasize logging and audi7ng from ground up Allow self audits reports to users on ac7vi7es? Signed & encrypted for security Automated Detec7on Repor7ng unexpected ac7vity Respond to compromise alerts, iden7fy responsibility for forensics Open Ques7ons Would self audi7ng actually work in research community? U7mately, automated audi7ng is an important goal.
47 ARCS Auth Svcs Future Direc7ons Authen7ca7on Understand Shibboleth Roadmap and implica7ons New Shibboleth profiles (ECP, key holder) Understand Grid Roadmap and implica7ons Changes to Grid (OGSA i.e. Web Services, SOA) Use MICS (Long lived creden7als from Shib) & SLCS Authorisa7on Develop and u7lise the ARCS Access Service Inves7gate CoManage for Authorisa7on Rights Mgnt Inves7gate and deliver exemplars of use of XACML
48 ARCS Auth Svcs Future Direc7ons Tracking interna7onal trends in authn/z technology interoperability Authentication: t Shibboleth SAML furure profiles Shibboleth SAML current profiles Grid GSI SSL X.509 & Proxy Certs OGSA SOA WS ws-security Current focus in ARCS Authorisation: Authorisation Rights Mgnt: Authorisation processing: XACML? ARCS Access Service CoManage, Grouper, PerMIT?
49 End of Presenta7on Ques7ons? Thankyou
SLCS and VASH Service Interoperability of Shibboleth and glite
SLCS and VASH Service Interoperability of Shibboleth and glite Christoph Witzig, SWITCH (witzig@switch.ch) www.eu-egee.org NREN Grid Workshop Nov 30th, 2007 - Malaga EGEE and glite are registered trademarks
More informationEGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti
EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies Sergio Maffioletti Grid Computing Competence Centre, University of Zurich http://www.gc3.uzh.ch/
More informationGoal. TeraGrid. Challenges. Federated Login to TeraGrid
Goal Federated Login to Jim Basney Terry Fleury Von Welch Enable researchers to use the authentication method of their home organization for access to Researchers don t need to use -specific credentials
More informationAn introduc/on to Sir0i
Authen4ca4on and Authorisa4on for Research and Collabora4on An introduc/on to Sir0i Addressing Federated Security Incident Response Hannah Short CERN hannah.short@cern.ch TF-CSIRT May, 2016 Agenda Federated
More informationGuidelines on non-browser access
Published Date: 13-06-2017 Revision: 1.0 Work Package: Document Code: Document URL: JRA1 AARC-JRA1.4F https://aarc-project.eu/wp-content/uploads/2017/03/aarc-jra1.4f.pdf 1 Table of Contents 1 Introduction
More informationREsources linkage for E-scIence - RENKEI -
REsources linkage for E-scIence - - hlp://www.e- sciren.org/ REsources linkage for E- science () is a research and development project for new middleware technologies to enable e- science communi?es. ""
More informationSAML-Based SSO Configuration
Prerequisites, page 1 SAML SSO Configuration Task Flow, page 5 Reconfigure OpenAM SSO to SAML SSO Following an Upgrade, page 9 SAML SSO Deployment Interactions and Restrictions, page 9 Prerequisites NTP
More informationAPAN 25 Middleware Session, Hawaii Jan.24, 2008 Japanese University PKI (UPKI) Update and Shibboleth using PKI authentication
APAN 25 Middleware Session, Hawaii Jan.24, 2008 Japanese University (U) Update and Shibboleth using authentication National Institute of Informatics, JAPAN Toshiyuki Kataoka, Shigeki Tanimoto, Masaki Shimaoka
More informationBest practices and recommendations for attribute translation from federated authentication to X.509 credentials
Best practices and recommendations for attribute translation from federated authentication to X.509 credentials Published Date: 13-06-2017 Revision: 1.0 Work Package: Document Code: Document URL: JRA1
More informationGLOBUS TOOLKIT SECURITY
GLOBUS TOOLKIT SECURITY Plamen Alexandrov, ISI Masters Student Softwarepark Hagenberg, January 24, 2009 TABLE OF CONTENTS Introduction (3-5) Grid Security Infrastructure (6-15) Transport & Message-level
More informationShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS
ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS Joseph Olufemi Dada & Andrew McNab School of Physics and Astronomy,
More informationAAI in EGI Current status
AAI in EGI Current status Peter Solagna EGI.eu Operations Manager www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 User authentication
More informationHow the Cloud is Changing Federated Iden4ty Requirements. Patrick Harding CTO, Ping March 1, 2010
How the Cloud is Changing Federated Iden4ty Requirements Patrick Harding CTO, Ping Iden3ty @pingcto March 1, 2010 http://www.flickr.com/photos/quinnanya/2690873096/ The Return of Timesharing http://www.flickr.com/photos/quinnanya/2690873096/
More informationCredentials Management for Authentication in a Grid-Based E-Learning Platform
Credentials Management for Authentication in a Grid-Based E-Learning Platform Felicia Ionescu, Vlad Nae, Alexandru Gherega University Politehnica of Bucharest {fionescu, vnae, agherega}@tech.pub.ro Abstract
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 Single Sign on Single Service Provider Agreement, page 2 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 3 Cisco Unified Communications Applications
More informationEUDAT & AAI. Daan Broeder MPI for Psycholinguistics
EUDAT & AAI Daan Broeder MPI for Psycholinguistics Initially six research communities on Board EPOS: European Plate Observatory System CLARIN: Common Language Resources and Technology Infrastructure ENES:
More informationFundamentals of Federated Iden0ty Infrastructure
Fundamentals of Federated Iden0ty Infrastructure Sal D Agos0no IDmachines LLC Federate fed er ate Verb past tense: federated; past participle: federated ˈfedəәˌrāt/ 1. (with reference to a number of states
More informationThe EGI AAI CheckIn Service
The EGI AAI CheckIn Service Kostas Koumantaros- GRNET On behalf of EGI-Engage JRA1.1 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number
More information30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy
Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy Why the Grid? Science is becoming increasingly digital and needs to deal with increasing amounts of
More informationLionShare: A Hybrid Secure Network for Academic Collaboration. Michael J. Halm, Marek Hatala, Derek Morr and Alex Valentine
LionShare: A Hybrid Secure Network for Academic Collaboration Michael J. Halm, Marek Hatala, Derek Morr and Alex Valentine Presentation Overview Brief LionShare Overview LionShare Security Overview Connecting
More informationCA SiteMinder Federation
CA SiteMinder Federation Legacy Federation Guide 12.52 SP1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationThe Fedlet: Real World Examples
The Fedlet: Real World Examples Sun Iden(ty Management User Group 12 March 2009 Agenda BIT Systems Overview Federal Agency Architecture Iden>ty Federa>on Fedlet Introduc>on Enhancing Fedlet Capabili>es
More informationUnderstanding Cryptography and Audi?ng Public Key Infrastructures
Understanding Cryptography and Audi?ng Public Key Infrastructures Rami Elkinawy, Senior Audit Manager, ebay Professional Strategies S31 CRISC CGEIT CISM CISA THE HISTORY OF CRYPTOGRAPHY CRISC CGEIT CISM
More informationArcGIS Server and Portal for ArcGIS An Introduction to Security
ArcGIS Server and Portal for ArcGIS An Introduction to Security Jeff Smith & Derek Law July 21, 2015 Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context
More informationSAML-Based SSO Configuration
Prerequisites, page 1 SAML SSO Configuration Workflow, page 5 Reconfigure OpenAM SSO to SAML SSO After an Upgrade, page 9 Prerequisites NTP Setup In SAML SSO, Network Time Protocol (NTP) enables clock
More informationU.S. E-Authentication Interoperability Lab Engineer
Using Digital Certificates to Establish Federated Trust chris.brown@enspier.com U.S. E-Authentication Interoperability Lab Engineer Agenda U.S. Federal E-Authentication Background Current State of PKI
More informationIntroduction to Grid Security
Introduction to Grid Security Mika Silander Helsinki Institute of Physics www.hip.fi T-106.5820 Grid Technologies and Applications TKK, Outline Background Functionality overview Virtual Organisations Certification
More informationHigher Education PKI Initiatives
Higher Education PKI Initiatives (Scott Rea) Securing the ecampus - Hanover NH July 28, 2009 Overview What are the drivers for PKI in Higher Education? Stronger authentication to resources and services
More informationMajor SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007
Major SAML 2.0 Changes Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007 Tokens, Protocols, Bindings, and Profiles Tokens are requests and assertions Protocols bindings are communication
More informationIntegrating VMware Workspace ONE with Okta. VMware Workspace ONE
Integrating VMware Workspace ONE with Okta VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this
More informationOffice 365 and Azure Active Directory Identities In-depth
Office 365 and Azure Active Directory Identities In-depth Jethro Seghers Program Director SkySync #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM Agenda Introduction Identities Different forms of authentication
More informationGSI Online Credential Retrieval Requirements. Jim Basney
GSI Online Credential Retrieval Requirements Jim Basney jbasney@ncsa.uiuc.edu http://www.ncsa.uiuc.edu/~jbasney/ Online Credential Retrieval Defined Client Server Authenticate Request Credential Verify
More informationMul$factor Iden$ty Verifica$on without Prior Rela$onship
The work reported here was sponsored by a SBIR Phase I grant from the US Department of Homeland Security. It does not necessarily reflect the posi$on or policy of the US Government. Mul$factor Iden$ty
More informationRCauth.eu / MasterPortal update
RCauth.eu / MasterPortal update Mischa Sallé msalle@nikhef.nl 5 th AARC face-to-face meeting, Aθηνα 21 March 2017 Mischa Sallé (Nikhef) 1 / 11 Reminder of motivation Access to X.509 resources made easy
More informationCILogon. Federating Non-Web Applications: An Update. Terry Fleury
Federating Non-Web Applications: An Update Terry Fleury tfleury@illinois.edu This material is based upon work supported by the National Science Foundation under grant number 0943633. Any opinions, findings,
More informationglobus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory
globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory Computation Institute (CI) Apply to challenging problems Accelerate by building the research
More informationUser Community Driven Development in Trust and Identity Services
User Community Driven Development in Trust and Identity Services Ann Harding, SWITCH Internet2 Global Summit 27 April 2015 Washington DCs Agenda Trust and Iden.ty Landscape GÉANT Research Community Engagement
More informationRaising Security and Trust in our Inter-Federated World
Authen4ca4on and Authorisa4on for Research and Collabora4on Raising Security and Trust in our Inter-Federated World Hannah Short IT-DI-CSO CERN ISGC, Taipei 12-18 March, 2016 Agenda The federated landscape
More informationIntegration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)
Integration Guide PingFederate SAML Integration Guide (SP-Initiated Workflow) Copyright Information 2018. SecureAuth is a registered trademark of SecureAuth Corporation. SecureAuth s IdP software, appliances,
More informationManaging Certificates
CHAPTER 12 The Cisco Identity Services Engine (Cisco ISE) relies on public key infrastructure (PKI) to provide secure communication for the following: Client and server authentication for Transport Layer
More informationFrom Continuous Integration To Continuous Delivery With Jenkins
From Continuous Integration To Continuous Delivery With Cyrille Le Clerc, Solution Architect, CloudBees About Me @cyrilleleclerc CTO Solu9on Architect Open Source Cyrille Le Clerc DevOps, Infra as Code,
More informationINDIGO AAI An overview and status update!
RIA-653549 INDIGO DataCloud INDIGO AAI An overview and status update! Andrea Ceccanti (INFN) on behalf of the INDIGO AAI Task Force! indigo-aai-tf@lists.indigo-datacloud.org INDIGO Datacloud An H2020 project
More informationVMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2
VMware Identity Manager Administration MAY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments
More informationGrid Authentication and Authorisation Issues. Ákos Frohner at CERN
Grid Authentication and Authorisation Issues Ákos Frohner at CERN Overview Setting the scene: requirements Old style authorisation: DN based gridmap-files Overview of the EDG components VO user management:
More informationIntegrating Federations in the International Grid Trust Fabric
Integrating Federations in the International Grid Trust Fabric David Groep Nikhef Dutch national institute for sub-atomic physics Grids, Eduroam, Federations Different terms, same issues How to provide
More informationGrid Security Infrastructure
Grid Computing Competence Center Grid Security Infrastructure Riccardo Murri Grid Computing Competence Center, Organisch-Chemisches Institut, University of Zurich Oct. 12, 2011 Facets of security Authentication
More informationFederated Authentication with Web Services Clients
Federated Authentication with Web Services Clients in the context of SAML based AAI federations Thomas Lenggenhager thomas.lenggenhager@switch.ch Mannheim, 8. March 2011 Overview SAML n-tier Delegation
More informationUsing the MyProxy Online Credential Repository
Using the MyProxy Online Credential Repository Jim Basney National Center for Supercomputing Applications University of Illinois jbasney@ncsa.uiuc.edu What is MyProxy? Independent Globus Toolkit add-on
More informationCA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5
CA SiteMinder Federation Manager Guide: Legacy Federation r12.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationAARC Assurance Profiles
Authen4ca4on and Authorisa4on for Research and Collabora4on AARC Assurance Profiles Addressing Federated Security Incident Response Hannah Short CERN hannah.short@cern.ch Kantara April 7 th, 2016 Agenda
More informationGrids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan
Grids and Security Ian Neilson Grid Deployment Group CERN TF-CSIRT London 27 Jan 2004-1 TOC Background Grids Grid Projects Some Technical Aspects The three or four A s Some Operational Aspects Security
More informationJBoss DNA. Randall Hauch Principal Software Engineer JBoss Data Services
JBoss DNA Randall Hauch Principal Software Engineer JBoss Data Services 1 JBoss DNA New project A few months old http://labs.jboss.org/dna Prior repository experience and IP MetaMatrix Repository Drools
More informationCoG: The NEW ESGF WEB USER INTERFACE
CoG: The NEW ESGF WEB USER INTERFACE ESGF F2F Workshop, Livermore, CA, December 2014 Luca Cinquini [1], Cecelia DeLuca [2], Sylvia Murphy [2] [1] California Ins/tute of Technology & NASA Jet Propulsion
More informationDataONE Cyberinfrastructure. Ma# Jones Dave Vieglais Bruce Wilson
DataONE Cyberinfrastructure Ma# Jones Dave Vieglais Bruce Wilson Foremost a Federa9on Member Nodes (MNs) Heart of the federa9on Harness the power of local cura9on Coordina9ng Nodes (CNs) Services to link
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name:_Unversity of Regina Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationFederated access to Grid resources
Federated access to Grid resources http://tinyurl.com/loubf Keith Hazelton (hazelton@wisc.edu) Internet2 Middleware Architecture Comm. for Ed. APAN, Singapore, 19-July-06 Topics http://tinyurl.com/loubf
More informationEnabling Grids for E-sciencE. EGEE security pitch. Olle Mulmo. EGEE Chief Security Architect KTH, Sweden. INFSO-RI
EGEE security pitch Olle Mulmo EGEE Chief Security Architect KTH, Sweden www.eu-egee.org Project PR www.eu-egee.org EGEE EGEE is the largest Grid infrastructure project in the World? : 70 leading institutions
More informationAuthentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA.
Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA. November 3th, 2005 Von Welch vwelch@ncsa.uiuc.edu Outline
More informationPublic Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman
Public Key Infrastructure PKI National Digital Certification Center Information Technology Authority Sultanate of Oman Agenda Objectives PKI Features etrust Components Government eservices Oman National
More informationWarm Up to Identity Protocol Soup
Warm Up to Identity Protocol Soup David Waite Principal Technical Architect 1 Topics What is Digital Identity? What are the different technologies? How are they useful? Where is this space going? 2 Digital
More informationOpenIAM Identity and Access Manager Technical Architecture Overview
OpenIAM Identity and Access Manager Technical Architecture Overview Overview... 3 Architecture... 3 Common Use Case Description... 3 Identity and Access Middleware... 5 Enterprise Service Bus (ESB)...
More informationCon$nuous Integra$on Development Environment. Kovács Gábor
Con$nuous Integra$on Development Environment Kovács Gábor kovacsg@tmit.bme.hu Before we start anything Select a language Set up conven$ons Select development tools Set up development environment Set up
More informationCILogon Project
CILogon Project GlobusWORLD 2010 Jim Basney jbasney@illinois.edu National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,
More informationVMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1
VMware Workspace ONE Quick Configuration Guide VMware AirWatch 9.1 A P R I L 2 0 1 7 V 2 Revision Table The following table lists revisions to this guide since the April 2017 release Date April 2017 June
More informationVMware Identity Manager Administration
VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
More informationInside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1
Inside Symantec O 3 Sergi Isasi Senior Manager, Product Management SR B30 - Inside Symantec O3 1 Agenda 2 Cloud: Opportunity And Challenge Cloud Private Cloud We should embrace the Cloud to respond to
More informationCA SiteMinder Federation
CA SiteMinder Federation Partnership Federation Guide 12.52 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationCredential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003
Credential Management in the Grid Security Infrastructure GlobusWorld Security Workshop January 16, 2003 Jim Basney jbasney@ncsa.uiuc.edu http://www.ncsa.uiuc.edu/~jbasney/ Credential Management Enrollment:
More informationFederated access to e-infrastructures worldwide
Federated access to e-infrastructures worldwide Marco Fargetta, INFN Catania - Italy (marco.fargetta@ct.infn.it) DCIs developed in the last decade 2 Evolution Research organisations are moving to cloud
More informationCon$nuous Audi$ng and Risk Management in Cloud Compu$ng
Con$nuous Audi$ng and Risk Management in Cloud Compu$ng Marcus Spies Chair of Knowledge Management LMU University of Munich Scien$fic / Technical Director of EU Integrated Research Project MUSING Cloud
More informationConfiguring Single Sign-on from the VMware Identity Manager Service to Marketo
Configuring Single Sign-on from the VMware Identity Manager Service to Marketo VMware Identity Manager JANUARY 2016 V1 Configuring Single Sign-On from VMware Identity Manager to Marketo Table of Contents
More informationglobus online The Galaxy Project and Globus Online
globus online The Galaxy Project and Globus Online Ravi K Madduri Argonne National Lab University of Chicago Outline What is Globus Online? Globus Online and Sequencing Centers What is Galaxy? Integra;ng
More informationRamnish Singh IT Advisor Microsoft Corporation Session Code:
Ramnish Singh IT Advisor Microsoft Corporation Session Code: Agenda Microsoft s Identity and Access Strategy Geneva Claims Based Access User access challenges Identity Metasystem and claims solution Introducing
More informationNew open source CA development as Grid research platform.
New open source CA development as Grid research platform. National Research Grid Initiative in Japan Takuto Okuno. 1 About NAREGI PKI Group (WP5) 2 NAREGI Authentication Service Perspective To develop
More informationSAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 12.0(1)
SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 12.0(1) First Published: 2017-08-31 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706
More informationSetting Up the Server
Managing Licenses, page 1 Cross-launch from Prime Collaboration Provisioning, page 5 Integrating Prime Collaboration Servers, page 6 Single Sign-On for Prime Collaboration, page 7 Changing the SSL Port,
More informationIntroduction to SciTokens
Introduction to SciTokens Brian Bockelman, On Behalf of the SciTokens Team https://scitokens.org This material is based upon work supported by the National Science Foundation under Grant No. 1738962. Any
More informationPKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006
PKI-An Operational Perspective NANOG 38 ARIN XVIII October 10, 2006 Briefing Contents PKI Usage Benefits Constituency Acceptance Specific Discussion of Requirements Certificate Policy Certificate Policy
More informationNetwork Security Essentials
Network Security Essentials Fifth Edition by William Stallings Chapter 4 Key Distribution and User Authentication No Singhalese, whether man or woman, would venture out of the house without a bunch of
More informationCloud Secure Integration with ADFS. Deployment Guide
Cloud Secure Integration with ADFS Deployment Guide Product Release 8.3R3 Document Revisions 1.0 Published Date October 2017 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose CA 95134 http://www.pulsesecure.net
More informationCAREER PATH FOR THE NEXT GENERATION RECORDS MANAGER
CAREER PATH FOR THE NEXT GENERATION RECORDS MANAGER San Jose State University October 1,2014 Presented by: Jim Merrifield, IGP, CIP, ERMs Jim Merrifield, IGP, CIP, ERMs Director of Informa.on Governance
More informationConfigure Unsanctioned Device Access Control
Configure Unsanctioned Device Access Control paloaltonetworks.com/documentation Contact Information Corporate Headquarters: Palo Alto Networks 3000 Tannery Way Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-support
More informationCrea%ng a SARNET Alliance by applying the Service Provider Group Framework and by using the Ciena/GENI testbed
Crea%ng a SARNET Alliance by applying the Service Provider Group Framework and by using the Ciena/GENI testbed April 29 th 2015 Leon Gommans: leon.gommans@klm.com Content - Introduc@on - Security Autonomous
More informationInstalling and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.
Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on
More informationModifying an Exis.ng Commercial Product for Cryptographic Module Evalua.on
Modifying an Exis.ng Commercial Product for Cryptographic Module Evalua.on ICMC16 O?awa, Canada 18-20 May 2016 Presented by Alan Gornall Introduc.on I provide cer.fica.on support to my clients: compliance
More informationIVOA/AstroGrid SSO system and Grid standards
IVOA/AstroGrid SSO system and Grid standards Guy Rixon and Keith Noddle Presentation to Astro-RG at GGF17 IVOA/AstroGrid SSO system and Grid standards; Astro-RG session, GGF17, Tokyo, May 2006 Slide 1
More informationGrouper Working Group
Grouper Working Group Agenda Internet2 IPR, agenda bash" Grouper v2.0 in brief" Whoʼs using Grouper? Survey take aways" Focus on v2.x: current plans & discussion" Grouper & OSIdM4HE" Your items " 2" October
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Royal Society of Chemistry Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they
More informationCLI users are not listed on the Cisco Prime Collaboration User Management page.
Cisco Prime Collaboration supports creation of user roles. A user can be assigned the Super Administrator role. A Super Administrator can perform tasks that both system administrator and network administrator
More informationIMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.
IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS VMware Identity Manager February 2017 V1 1 2 Table of Contents Overview... 5 Benefits of BIG-IP APM and Identity
More informationVMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager
VMware Identity Manager Cloud Deployment DEC 2017 VMware AirWatch 9.2 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
More informationVMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager
VMware Identity Manager Cloud Deployment Modified on 01 OCT 2017 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The
More informationSetting Up Resources in VMware Identity Manager
Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.7 This document supports the version of each product listed and supports all subsequent versions until the document is replaced
More informationCloud Adop)on, Risks & Security & GDPR An Ac)on Guide
April 2016 Cloud Adop)on, Risks & Security & GDPR An Ac)on Guide Nigel Hawthorn, Skyhigh Networks Cloud Adop)on and Risk Agenda Skyhigh Networks An Introduc)on European Cloud Adop)on and Risk Report Q1
More informationCA CloudMinder. SSO Partnership Federation Guide 1.51
CA CloudMinder SSO Partnership Federation Guide 1.51 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationWebthority can provide single sign-on to web applications using one of the following authentication methods:
Webthority HOW TO Configure Web Single Sign-On Webthority can provide single sign-on to web applications using one of the following authentication methods: HTTP authentication (for example Kerberos, NTLM,
More informationUnified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration
Unified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration Contents Introduction Requirements Components Used Part A. SSO Message Flow Part B. Certificates Used in IDP
More informationThe AAF - Supporting Greener Collaboration
SPUSC 2008 SOUTH PACIFIC USER SERVICES CONFERENCE The AAF - Supporting Greener Collaboration Stuart Allen MAMS MELCOE Macquarie University sallen@melcoe.mq.edu.au What is the AAF? The Australian Access
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More information